Eduardo Henrique wrote:
> Hi, I'm developing a Graduation Work about Database security.
> My idea is to develop an application that connects to a database
> (in this case Postgres) and makes some security verification
> of that db. The problem is that my verification can only be
> in a database scope. I can't include Network and OS threats.
> Unfortunately I didn't find good material about postgres
> security. The good things that I found (articles and
> checklists) were about MSQLSERVER and Oracle.
> I would like to know if you have any material about this
> subject (book, article, checklists and etc) that eventually
> could help me in this work.

Here is my personal security checklist for PostgreSQL:

- Check that there is no SQL function with SECURITY DEFINER.
- Check that only the DBA has SUPERUSER, CREATEDB or CREATEROLE privileges.
- Check that no password is equal to the user name or some "initial standard password" that your company uses.
- Check that ssl=on.
- Check that nobody except for superusers has any privileges on pg_catalog.pg_authid.
- Check that you are running the latest release for your version of PostgreSQL.
- Check that no privileges on objects are granted to PUBLIC.
- Check that no privileges on objects were granted WITH GRANT OPTION.
- Check that only local users have "trust" authentication in pg_hba.conf.
- Check that pg_hba.conf forces remote connections to use SSL.
- Check that pg_hba.conf forbids remote connections to use "password", "crypt" or "ident" authentication.

Most of these can be checked with normal SQL statements. For the ones that have to examine pg_hba.conf, I use an untrusted PL/Perl function that reads the file.

Yours,
Laurenz Albe

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
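As an added example (not part of the original post), these are catalog queries one could run to audit the points of the checklist above; they assume a superuser session, PostgreSQL 9.3 or later for LATERAL, and PostgreSQL 10 or later for the pg_hba_file_rules view that replaces the PL/Perl file reader mentioned in the post. Any row returned by a query is a finding to review.

```sql
-- 1. SQL functions with SECURITY DEFINER (built-in catalog functions excluded)
SELECT n.nspname, p.proname
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');

-- 2. Roles with SUPERUSER, CREATEDB or CREATEROLE; only the DBA should appear
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolsuper OR rolcreatedb OR rolcreaterole;

-- 3. Roles whose password equals their user name. Works for md5 hashes only:
--    an md5 entry is 'md5' || md5(password || rolname). SCRAM hashes are salted
--    and cannot be compared this way.
SELECT rolname
FROM pg_authid
WHERE rolpassword = 'md5' || md5(rolname || rolname);

-- 4. ssl must report 'on'
SELECT name, setting FROM pg_settings WHERE name = 'ssl';

-- 5. pg_authid must carry no grants at all; NULL is the expected result
SELECT relacl FROM pg_class WHERE oid = 'pg_catalog.pg_authid'::regclass;

-- 6. Compare with the latest minor release of this major version
SELECT version();

-- 7./8. Grants to PUBLIC (aclexplode reports PUBLIC as grantee 0) or
--       WITH GRANT OPTION on tables, views and sequences outside the
--       system schemas. Function and schema ACLs (pg_proc.proacl,
--       pg_namespace.nspacl) would need the same treatment.
SELECT n.nspname, c.relname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type, a.is_grantable
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (a.grantee = 0 OR a.is_grantable);

-- 9.-11. pg_hba.conf: flag remote lines that do not force SSL (anything other
--        than hostssl) or that use trust, password or ident ("crypt" no
--        longer exists in current releases)
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE type <> 'local'
  AND (type <> 'hostssl' OR auth_method IN ('trust', 'password', 'ident'));
```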